Card holders’ information continues to be stolen; all mum on local businesses affected by suspected data breach

EASTHAMPTON — City resident Elizabeth Hildebrandt said she has had her debit card information stolen twice, once at the end of May and again at the end of June, after shopping at stores in Easthampton.

It has been nearly four months since banks and law enforcement started to suspect that data breaches at retailers in Easthampton and Southampton were causing thousands of customers’ debit cards to be used fraudulently around the country.

Now, Hildebrandt, 40, said she uses only cash when shopping in the city. Withdrawing money from the bank is just a small inconvenience, she said, but she is mostly annoyed that no one will warn customers where they should not use their cards.

“Most of the problem is that no one is saying anything. It feels like nothing’s safe,” she said.

She said she understands why businesses are reluctant to announce that they have had their security breached. “I’m not angry, it’s just frustrating and it seems endless. Because even if it is fixed, they won’t tell us.”

A friend of hers is boycotting the businesses that he suspects may have been breached after he also had his card compromised twice, she said. “He said he would have at least gone there and used cash if they had admitted it,” she said.

But no one is admitting anything. The Gazette’s attempts to learn the names of the businesses that were hacked have been unsuccessful. Representatives from banks, credit card companies, and police have declined to name suspected businesses, saying they are not certain they are to blame. The Greater Easthampton Chamber of Commerce and the area’s Better Business Bureau say that they have not received any complaints about cards being compromised at local retailers.

Most calls and emails to retailers in the community have gone unreturned. Several have denied that breaches have occurred at their businesses, and one business owner said he could not verify there was a breach but he was investigating the possibility.

Easthampton Savings Bank President and CEO Matthew S. Sosik said that since banks and law enforcement first informed businesses that their card readers, computer networks or other systems may have been breached, most businesses have upgraded their security and fixed the problem.

But some of them have done nothing and are continuing to hand over customers’ card information to hackers, Sosik said. If that continues, their names are likely to be made public, according to a representative of the Massachusetts Bankers Association.

Bruce E. Spitzer, the association’s communications director, said that the association does not have close community ties like local banks and thus is more likely to feel comfortable pressuring retailers by naming them publicly.

“If a particular retailer is visited by a banker, law enforcement and customers and everyone is saying, ‘you have a problem,’ and the retailer doesn’t fix it, they need to be publicly shamed,” he said. “That is the likely outcome if they ignore it. Someone could go public, and it could be the Massachusetts Bankers Association or the local police.”

Spitzer said the association gets reports from its member banks about suspected data breaches in the area, but is not yet ready to name names because it needs to be certain.

“The Massachusetts Bankers Association is capable of identifying the retailers who are at fault,” he said. “Growing information may make us more comfortable doing it, but not yet at this time... As each bad transaction occurs, there will be more certainty.”

Close monitoring

Sosik said that thousands of people’s cards have been compromised. Some people have had to have their cards reissued four or five times due to the security breaches.

The bank that issues the card — whether a local bank or a national chain — will always reimburse the person for any fraudulent charges, Spitzer said. The fraud prevention companies that the banks work with are also carefully monitoring accounts for unusual uses, such as large withdrawals or out-of-state charges, he said.

Sosik said the number of fraudulent charges is “way down from the peak” in May and June, but that is likely due more to the close monitoring of accounts than because of retailers upgrading their security.

Local banks are in a frustrating position, he said, because they want to protect their customers from fraudulent charges, but do not want to damage a retailer’s reputation by “pointing fingers and slapping wrists when we’re not certain.”

“It’s the lack of a 100 percent conviction,” he said. “Federal authorities are in the area, on the case, trying to solve it.” Local law enforcement and the U.S. Secret Service are investigating.

Sosik said he thinks the retailers that have had their security breached include “a handful” in Easthampton and one or two in Southampton.

Southampton Police Chief David Silvernail said his department has not received any reports from residents about fraudulent charges.

Easthampton Police Chief Bruce W. McMahon said the reports of fraudulent charges his department has received are down to about one per week. “They’ve really slowed down substantially because everyone is aware of it,” McMahon said.

Like Sosik, he said his department will not be naming names “because we really can’t be 100 percent sure.”

Peaks and valleys

Denise Gross, the executive assistant of the Greater Easthampton Chamber of Commerce who is now filling in as interim director, said that neither businesses nor customers have reported that the breaches have made customers less likely to shop in Easthampton.

But some people, like Hildebrandt, are expressing frustration.

“We’ve heard people say that it would be nice to know which businesses are affected,” Gross said, so they could use cash instead.

At Florence Savings Bank, which has a branch in Easthampton, a representative said the bank has not seen any slowing of the reports of fraudulent charges.

“There have been some peaks and valleys, but it is continuing,” said Monica Curhan, the bank’s senior vice president and marketing director.

She also said the bank cannot name the businesses it suspects.

“It’s in the hands of law enforcement. We’ve done everything we can in terms of reporting it. Now all we can do is continue to issue new cards to people whose cards have been compromised,” she said.

The Gazette is waiting on the results of a public records request to the state attorney general’s office seeking documents relating to data breaches at businesses in Easthampton and Southampton. Businesses and the banks that run their card reader services are required by law to report any suspected data breaches to the attorney general’s office.

“Our office reviews and takes seriously all data breaches that put Massachusetts consumers at risk, and works to ensure that businesses comply with state notification laws,” said Jillian Fennimore, the office’s deputy press secretary. It is the policy of that office to never confirm or deny an investigation.

Next wave of breaches

Spitzer said that in recent years, the public has become much more savvy about data breaches because of the media coverage of big data hacks like those at Target and TJX Companies.

But hackers don’t only hit big chains, he said. In fact, small businesses are generally more likely to have weaker security for customers’ card information.

“Hackers are targeting small businesses. We think this is the next wave of data breach problems. There are only so many Targets in the world with weak security,” he said.

As for data breaches affecting not just one but several businesses in a community, Spitzer said, “We hear about them almost every day.”

He said “a likely scenario” is that a hacker in another part of the world hacks into the computer network of one local retailer, successfully gets card information and sells it online, and then decides to see what other retailers in the area have low security. “War driving” is another possibility, he said. The practice involves driving around with a laptop and hacking into businesses’ wireless networks to get customers’ card information.

A credit card company or the bank that is in charge of card reader services is likely the first to inform a business about a possible breach. When local banks learn about it, Spitzer said, they usually encourage the business to hire an information technology consultant to examine the business’ hardware, security system and procedures and make a recommendation about how to improve it.

“We reached out to each business that may have been impacted,” Sosik said. “Typically that was via phone, but some of that contact was face-to-face.”

He said the levels of communication with each business varied based on how receptive they were to the information.

After a business hires an IT specialist, it’s a matter of paying to implement those recommendations, whether it be new software or changing employee procedures, Spitzer said. He declined to estimate a cost, saying that each situation is different.

But if the changes only need to be made at one location, as opposed to a chain of stores, they should not take long to implement. Certainly not months, he said, so the fact that the breach is ongoing is an indication that at least one business owner has chosen instead to ignore the problem.

“These retailers have been blase about protecting their customers. It’s almost shameful,” he said, clarifying that not all retailers fall in that category. “Smart retailers recognize that security is part of the cost of doing business and have installed the latest security systems.”

He said businesses have “no skin in the game” because banks reimburse customers for any fraudulent charges and issue them new cards, which costs the banks about $5 to $15 each time.

“It’s not a matter of cost,” he said, so much as it is about customers getting sick of having their cards reissued again and again. After they go through four or five debit cards in a few weeks, they may just stop using a debit card at all, which is not good for banks.

Sosik said local banks cannot do much to pressure businesses to fix the problem. “We could shut them off, so our cards wouldn’t work in their store, and that has been considered,” he said. But it has not been done because it is a big inconvenience to customers, he said.

“And frankly, unless many of the local issuers took a stand like that, it probably wouldn’t matter much,” he said.

Eventually, though, customers will figure out where they were shopping before each time their card was compromised.

“It could drive you out of business, or if you have to become cash only, you may lose 50 percent of your customers,” he said.

Sosik said he thinks the data breach will dry up eventually, due to a combination of retailers improving security, banks monitoring for fraudulent usage, and people figuring out which businesses they should stop shopping at.

“People have been forgiving, but sometime, the card-carrying public will say, ‘enough,’” he said.

But Spitzer said the leaking of card information may end due to the Massachusetts Bankers Association announcing the names of businesses with weak security. That could occur whenever the association’s leaders decide they are comfortable with the breach information provided by member banks.

“For God’s sake, if you are the source of the problem and it’s happening over and over, public shaming may have to happen,” he said. “Is that any way to run a business?”